The flaw allow the attacker to write arbitrary text to file and direct victims to external payloads and even the computer can take over. The popular gaming platform uses the steam:// URL protocol in order to run, install and uninstall games, backup files, connect to servers and reach various sections dedicated to customers.

It is possible to Safari, Maxthon and Firefox and other browsers based on the Mozilla engine, this quietly Steam URLs to invoke.

In report they said that browsers including Firefox and software clients including RealPlayer would execute the external URL handler without warnings and were “a perfect vector to perform silent Steam browser protocol calls”.

The researchers demonstrated how users on the massive Source game engine, which hosts games like Half-Life and CounterStrike, could be attacked. They used four commands to write custom code to file, including a bat file that executes commands when users started up Steam. They were also able to execute remote malicious code via the Unreal engine which was affected by many integer overflow vulnerabilities.

"In one proof of concept involving the Steam browser, attackers used malicious YouTube links within Steam user profiles to bait users. Users who viewed the videos and wished to leave comments would be phished with malicious steam:// URLs that pointed to external sites." explained by Darren Pauli.